Solved

Big Sur 11.4 + Netskope + peruserconfigmode = certain installation issues

  • 17 July 2021
  • 4 replies
  • 50 views

Badge +7

For our Macintosh computers, running Big Sur 11.4, we have now spent hours trying to figure out peruserconfig mode, juggling WS1 configurations, system extension files, client-side modifications, and generally attempting every possible way to get this Netskope Client software to work under VMware's AirWatch / Workspace ONE MDM (and even done manually using macOS Terminal). Nothing works reliably to completion.

 We have engaged Netskope 3rd party support, to no avail.

Netskope have online instructions, but these do not seem to be sufficient to cover a fully working setup. Indeed, if you compare them to their own JAMF instructions, you see almost a 2 to 1 difference in the length of the instructions.

Note: our org knows it can use the email invite method, we have that working to be fair. But it's far from Mgmt.'s first choice, so we are very much hoping for a viable peruserconfig mode methodology. 

Referring to the online instructions at:

https://docs.netskope.com/en/deploy-netskope-client-with-airwatch.html

  1. When the manifest is ultimately pushed to the clients we see the “Netskope Client would like to allow proxy configs” prompt and we allow it
  2. We verify that Full Disk Access has been allowed for the Netskope client (nowhere mentioned in their online URL above, btw, but we ensure it's been done)
  3. We have set up WS1 to specifically allow the two Netskope proxy extensions (one app and one DNS)
  4. We see the manifest contents (two shell scripts and a .pkg file) load into /tmp on the test machines
  5. We click on the link at the bottom of the Configuration panel, and 99% of the time it does not work (our definition of working is:)
    1. The link connects to its destination, and presumably downloads or updates the existing client, taking approximately 1-3 seconds to do so, at which point the Apple macOS menubar icon turns from greyscale to colored
    2. Typing in known banned URLs, instead of them still being allowed, we see "access denied" on screen

Any assistance or insight genuinely appreciated.


Best answer by mkoyfman 21 July 2021, 20:58


4 replies

Userlevel 4
Badge +14

@Roger_smyth thanks for posting - we can definitely work to help resolve the situation you've described. Since JAMF is the leading Mac EMM/MDM solution, we have always had the most comprehensive/complete instructions to cover various JAMF scenarios (which include non-domain-joined endpoints), while AirWatch instructions only cover domain-joined endpoints. Thus, I wanted to ask you a couple of clarifying questions first:

 

1. Have you tried those instructions on Catalina Mac devices, and if so, do they work as expected and the only issue encountered is on Big Sur?

2. What is your understanding of peruserconfig mode? peruserconfig mode is there to ensure that a unique Netskope user config exists per local user account profile. Are you expecting to have multiple unique users on the same Mac devices?

 

Also, if you have opened a case with Netskope support about this, please DM me the case number

Badge +7

Hi M,

 

We have no Catalina Macs, so we have no option to test in that way.

 

We understand peruserconfig mode to allow each of our Mac users to be configured / enabled without having to resort to an email to each one (Mgmt does not prefer this). We configure this mode via command-line arguments in the Airwatch-preinstall.sh script, using the normative arguments here: addon-company.goskope.com unique alphanumeric string peruserconfig.

 

We push the Airwatch pre- and post-install scripts and PKG via manifest inside WS1, and we trigger the client Macs' "Netskope Client would like to allow proxy configs" prompt by logging out and back in. We allow that proxy function in Full Disk Access on the Mac.

 

We click "enable Netskope" in the menubar greyscale icon, and even resort to clicking the Configuration Update link, to no avail. We expect the Netskope greyscale icon to turn to color, but it never does. 

 

We have dedicated computers for our users. Nobody is sharing.

We have had Netskope customer service on this already, but as I have suggested, so far they - and their expert - have not been much help. 

 

 

 

Userlevel 4
Badge +14

@Roger_smyth please DM me the Netskope case number and/or names of people you're working with on this issue. Installing the Netskope client on Big Sur is quite different from Catalina. There are new config extensions that need to be allowlisted by the MDM, and also the Netskope tenant root and intermediate CAs should be pushed out as a Certificate by WS1 independently of the Netskope client installation. We can take this offline and ensure we work together to achieve a successful resolution of this for you.

Userlevel 4
Badge +14

To close the loop on this - the instructions on the Netskope side are valid, but there are a couple of additions that need to be reflected specifically for Big Sur deployments. They are actually in one profile: one part is the Netskope root and tenant intermediate CAs that need to be deployed as Certificates to ensure the endpoint trusts them once the tunnel starts up, and another is a predefined VPN connection that preapproves the Proxy settings and removes any need for end-user interaction with the client during installation.

 

A secondary topic to be aware of is that when Macs are domain-joined and the Netskope client is being rolled out, during the installation the endpoint must be able to reach the domain controller to verify user identity. If the user is remote, for example, then the VPN tunnel must be up to provide this connectivity. This requirement is not Big Sur-specific.
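The reply above lists three Big Sur prerequisites: the Netskope system extensions must be allowlisted and activated, the tenant root and intermediate CAs must be trusted in the System keychain, and a pre-created VPN/proxy connection must exist. The script below is an added post-deployment check for those three items, written for this thread; it is not Netskope's, VMware's or any poster's code. The bundle-ID prefix, CA name substring and connection name it matches on are placeholders (assumptions), not Netskope's published identifiers. The parsing functions read command output from stdin so they can be exercised with captured text; `--live` runs the real `systemextensionsctl`, `security` and `scutil` commands on the Mac.

```shell
#!/bin/sh
# Post-deployment sanity check for a Netskope Client push on macOS Big Sur.
# Added example for this thread, not code from Netskope, VMware or a poster.
# ASSUMPTIONS: the three values below are placeholders; substitute your tenant's
# real bundle-ID prefix, CA common-name substring and connection name.
NSK_BUNDLE_PREFIX="${NSK_BUNDLE_PREFIX:-com.netskope.client}"   # assumption
NSK_CA_MATCH="${NSK_CA_MATCH:-Netskope}"                        # assumption
NSK_VPN_MATCH="${NSK_VPN_MATCH:-Netskope}"                      # assumption

# sysext_ok: stdin = output of `systemextensionsctl list`. Every extension whose
# bundle ID contains the prefix must be in state "[activated enabled]", and at
# least one must exist (a machine where the MDM allowlist never took effect
# shows none, or shows "[activated waiting for user]"; both fail).
sysext_ok() {
  found=0
  bad=0
  while IFS= read -r line; do
    case "$line" in
      *"$NSK_BUNDLE_PREFIX"*)
        found=$((found + 1))
        case "$line" in
          *"[activated enabled]"*) ;;
          *) bad=$((bad + 1)); printf 'sysext not active: %s\n' "$line" >&2 ;;
        esac
        ;;
    esac
  done
  if [ "$found" -gt 0 ] && [ "$bad" -eq 0 ]; then
    return 0
  fi
  return 1
}

# ca_chain_ok: stdin = PEM output of
#   security find-certificate -a -c "$NSK_CA_MATCH" -p /Library/Keychains/System.keychain
# The reply says both the root and the tenant intermediate must be pushed, so
# require at least two certificates that match the name.
ca_chain_ok() {
  n=$(grep -c 'BEGIN CERTIFICATE' || true)   # grep -c prints 0 and exits 1 on no match
  if [ "$n" -ge 2 ]; then
    return 0
  fi
  return 1
}

# vpn_config_ok: stdin = output of `scutil --nc list`. The pre-created connection
# only has to be present; its state is reported but not required to be Connected,
# because the tunnel comes up after the client enrolls.
vpn_config_ok() {
  hit=$(grep "$NSK_VPN_MATCH" || true)
  if [ -n "$hit" ]; then
    printf 'vpn config present: %s\n' "$hit" >&2
    return 0
  fi
  return 1
}

# Live mode: run the real macOS commands and report each prerequisite.
if [ "${1:-}" = "--live" ]; then
  rc=0
  systemextensionsctl list | sysext_ok || { echo "FAIL: Netskope system extensions not activated"; rc=1; }
  security find-certificate -a -c "$NSK_CA_MATCH" -p /Library/Keychains/System.keychain 2>/dev/null \
    | ca_chain_ok || { echo "FAIL: root + intermediate CA not both in System keychain"; rc=1; }
  scutil --nc list | vpn_config_ok || { echo "FAIL: no pre-created VPN/proxy connection"; rc=1; }
  if [ "$rc" -eq 0 ]; then echo "OK: Big Sur prerequisites present"; fi
  exit "$rc"
fi
```

Run it as `sh check-netskope.sh --live` on a test Mac after the WS1 profile and package have applied; a failing line points at which of the three additions from the reply is missing before you touch the client's Configuration Update link again.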


